CVE-2025-13604 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the CleanTalk WordPress plugin 'Login Security, FireWall, Malware removal' affecting all versions up to 2.168. The vulnerability stems from insufficient sanitization and escaping of the page URL parameter during web page generation, which allows an unauthenticated attacker to inject arbitrary JavaScript code into pages served by the plugin. When a user accesses a page containing the injected script, the malicious code executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability has a CVSS 3.1 base score of 7.2, indicating high severity, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, and the impact affects confidentiality and integrity but not availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and CleanTalk plugins for security and malware protection. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention from administrators. The vulnerability could be exploited by attackers to compromise user accounts or inject malicious content into trusted websites, undermining user trust and potentially facilitating further attacks such as phishing or malware distribution.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information, including user credentials and session tokens, compromising user accounts and administrative access. The integrity of website content could be undermined by injected scripts, potentially damaging brand reputation and user trust. Since the vulnerability does not require authentication or user interaction, attackers can exploit it remotely with relative ease, increasing the risk of widespread exploitation. Public-facing websites using the affected plugin are particularly vulnerable, which could impact e-commerce, government, and service portals prevalent across Europe. The compromise of user sessions or injection of malicious payloads could also facilitate further attacks such as credential theft, phishing campaigns, or malware distribution targeting European users. Additionally, regulatory frameworks like GDPR impose strict requirements on protecting user data, so exploitation could lead to legal and financial consequences for affected organizations. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score indicates that the threat should be treated with urgency.

1. Monitor the CleanTalk plugin vendor’s official channels for the release of a security patch addressing CVE-2025-13604 and apply it immediately upon availability. 2. Until a patch is available, implement web application firewall (WAF) rules to detect and block suspicious URL parameters that may contain script injections targeting the vulnerable plugin. 3. Employ strict input validation and output encoding on all user-controllable inputs, especially URL parameters, to prevent script injection. 4. Conduct a thorough audit of WordPress installations to identify the use of the affected CleanTalk plugin and assess exposure. 5. Educate website administrators and developers about the risks of stored XSS and secure coding practices to prevent similar vulnerabilities. 6. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the affected sites. 7. Regularly review and update all WordPress plugins and themes to minimize exposure to known vulnerabilities. 8. Implement multi-factor authentication (MFA) on administrative accounts to reduce the impact of compromised credentials resulting from XSS attacks.